STATEMENT OF
VICE ADMIRAL RICHARD W. MAYO, USN
DIRECTOR, SPACE, INFORMATION WARFARE, COMMAND AND CONTROL
OFFICE OF THE CHIEF OF NAVAL OPERATIONS
ON INFORMATION TECHNOLOGY: AN EXAMINATION OF DOD NETWORK VULNERABILITIES
MAY 17, 2001

Chairman Weldon, distinguished members of the Readiness Subcommittee,
I am Vice Admiral Dick Mayo, Director of Space, Information
Warfare, and Command and Control on the Navy staff.
Thank you for the opportunity to appear today
and discuss the Navy approach, accomplishments and challenges
with protecting our information networks. My comments focus on the nature of the Navy's computer network
defenses and the measures we have taken to strengthen
the security of our systems.
I will also update you on the Navy/Marine Corps
Intranet (NMCI) initiative.

Our Navy is currently transitioning to an entirely new and
innovative way of conducting operations through the
implementation of the concept for Network-Centric Operations
(NCO). Network-Centric
Operations represents a truly revolutionary approach
to warfighting, shifting emphasis from attrition-based
warfare, reliant on the firepower of loosely coordinated
individual platforms, to Effects-Based Operations intended
to achieve our warfighting objectives through carefully
planned and integrated actions against key enemy vulnerabilities.
NCO draws combat power from the networking of
a multitude of platforms, weapons, sensors, and command
and control entities, collectively self-organized through
access to a common view of the battlespace.
The enabling technology foundation for this new
mode of operations is a network backbone, applying common
standards for hardware, software, and communication
protocols. The
first evolutionary implementation is the deployment
of a single naval network applying Internet Protocol
communication standards, afloat with the Information
Technology for the 21st Century (IT21) initiative
and ashore with the Navy/Marine Corps Intranet (NMCI).
Investments in our Navy, such as NMCI and IT21,
guarantee the freedom of the seas that ensures the uninterrupted
flow of maritime trade that is critical to U.S. economic
prosperity. Navy's
forward deployed forces represent sovereign combat power
overseas in regions of U.S. interest, providing timely
response in crisis as well as capabilities to project
both offensive and defensive power ashore to assure
access for the Joint force.
Our growing reliance on a standardized and seamless Navy/Marine
Corps-wide network creates vast new synergies for improved
operational efficiencies; however, it also presents
formidable challenges to the protection of our information
systems as well as the integrity of our information
resources. The
increasing interconnectivity of our forces through networking
provides additional opportunities for intrusion into
our network infrastructure, deception through manipulation
of our information resources, or outright computer network
attack. The
requirement to operate across multiple security levels
that are interoperable not only across the military
services, but also with our Allies and coalition partners,
and with unclassified entities within industry, government,
and academia provides many avenues for exploitation
and attack. The
protection of the Navy's information networks and its
ability to support our forces must be preserved throughout
the full spectrum of operational conditions.

As the Navy's Chief Information Officer and Director for
Space, Information Warfare, Command and Control, I am
the principal agent for the Navy in the area of Information
Assurance. The
Navy's strategy for Information Assurance applies a
comprehensive set of defensive measures that we call
"defense-in-depth," employing a layered, end-to-end
approach. Security
protection mechanisms are employed throughout the network
architecture beginning with the external network boundaries
and firewalls down to the application layer.
In its most essential sense, defense-in-depth
consists of the technologies we employ in the network
to monitor and control activity, the policies we enforce
to define permissible activities, and, most importantly,
the training we provide to all hands because, in the
final analysis, computer network defense is something
you DO, not something you buy.
To support this strategy for "defense-in-depth,"
the Navy has created several new organizations that
are at the forefront in the development of innovative
technologies, processes and applications for Information
Assurance.

In the realm of tools and technologies, the Commander,
Space and Naval Warfare Systems Command (SPAWAR) is
responsible for procurement, installation and management
of security devices that comprise our protection systems.
We have designated SPAWAR's IA program manager as the
IA technical and certification authority on all technical
security matters.
SPAWAR determines which firewalls, intrusion
detection systems, high assurance guards and other devices
will be employed within the network.
Additionally, SPAWAR oversees the certification
of new systems and applications to be used in the network
space, providing network-wide standards for quality
control and compliance.
Navy's IA technical authority also maintains
a web site as an up-to-date resource that includes an
IA software toolkit (such as virus scanners and a secure
copying program), IA policy and guidance, and certification
templates. The
technical authority also develops our IA technical publications
that contain detailed defensive system configuration
guidance, and IA technical procedures in general.
Most importantly, the technical authority works
with acquisition program managers throughout the Department
of the Navy to ensure that technical security requirements
are being met in all programs.

As a consequence of a computer network intrusion labeled
"Solar Sunrise," then-DEPSECDEF, Dr. Hamre, created
a standing Joint Task Force for Computer Network Defense
(JTF-CND) and directed each service to stand up a component
force; Navy complied by creating a new command, the
Navy Component Task Force for Computer Network Defense
(NCTF-CND) on 31 Jan 1999.
NCTF-CND conducts continuous IA vulnerability
alerts, implements Information Operations Conditions
(INFOCONs), and works directly with the Joint Task Force
for Computer Network Defense (JTF-CND), now known as
the Joint Task Force for Computer Network Operations
(JTF-CNO). NCTF-CND's mission is to coordinate the defense of Navy computer
networks and systems.
This includes Navy defensive actions with non-government
agencies and appropriate private organizations.
NCTF-CND is our single point of contact for detecting,
protecting, reacting and responding to threats against
Navy networks.
It has authority to initiate and coordinate reactive,
proactive and precautionary defense measures.
It is also charged with monitoring the status
of Information Assurance Vulnerability Alert (IAVA)
compliance. Following
incidents, NCTF-CND directs and coordinates restoration
of the networks while maintaining network functionality.
As the central collection point for Navy incidents,
NCTF-CND is responsible for oversight, coordination
and correlation of disparate computer and network incidents.

Since its creation, the NCTF-CND has issued twenty-eight directive
IA vulnerability messages to mitigate computer network
vulnerabilities.
NCTF-CND also conducted a Navy-wide INFOCON exercise
in late 1999, the results of which contributed greatly
to our understanding of the operational impact of INFOCONs
and the need for detailed response procedures.
According to statistics maintained by the Joint
Staff, Navy has a perfect record of following up and
enforcing such directives.
However, I candidly acknowledge that the vulnerabilities
of which I speak are only one mis-configuration away
from reappearing, so we must stay ever watchful because
people do make mistakes.
To aid us in this process, NCTF-CND has the authority
to conduct "on-line surveys" whenever and wherever it
sees the need.
An "on-line survey" maps a network segment to
evaluate which ports are open, which aren't, and overall
what's right and what's not.

At the operating level, our Fleet Information Warfare Center
(FIWC) is responsible for the detection and remediation
of computer incidents. FIWC conducts intrusion detection, incident reporting, and
runs the Naval Computer Incident Response Team (NAVCIRT). FIWC works directly with other service, agency and commercial
incident response teams to leverage the solutions and
lessons learned for timely response.
FIWC works with the Numbered Fleet Commanders
and Battle Group Commanders to conduct aggressive "red
team" efforts during Joint Task Force Exercises. In this way, we can detect IA problems, conduct on-the-job
system administrator training under IA stress conditions,
and heighten IA awareness as part of deployment preparations.
FIWC also leads an extensive partnership with
our Naval Reserve forces oriented on maintaining the
security of our publicly accessible web sites.
In a perfect "total force" application, we use
reservists, during their scheduled drill periods in
their home drilling centers, to access and review each
of the Navy's over-1500 public websites every year.
These reviews encompass administrative, privacy
and operations security requirements and use web tools
to automatically generate specific deficiency notices
to webmasters, enabling them to correct problems in
real time. FIWC
supervises and coordinates the release of these notices,
which provides webmasters with 24x7 help desk support
if they have questions.

We have worked hard to improve and keep our policies relevant
in the information age.
The overarching Navy IA directive was completely
updated last year, and it made provision for a series
of technical security publications, much easier to create
and update, to stay current with the technology.
We've issued sixteen of these policy directives - all
accessible over the web, of course.
Navy and Marine Corps together issued the first
formal policy defining the requirements and configurations
for firewalls, a foundation the Joint Staff is now building
on to embrace the entire Defense Department.
Most recently, we issued a policy regarding the
use of portable electronic devices such as personal
data assistants (PDAs) in our networks.
In a macro sense, our policy is simple - we want
to take maximum advantage of the phenomenal power of
information technologies to accomplish our combat and
combat support missions, yet understand and make provision
for the fact that each of these technologies is a sword
that cuts both ways - all the power for good operators
is also potential power for adversaries.
We balance the good and evil, mitigate risks
as we can, remain ever vigilant and train our people
to be the best.

With this policy approach, we employ the kinds of tools I've
alluded to earlier to protect our information, detect
intrusion attempts, and react/recover as necessary.
When it comes to protecting our information,
the first line of defense is NSA-provided cryptography.
Without belaboring the point, there are now over
400,000 such cryptographic products of varying types
in our inventory for voice, video and data; for Navy,
Joint and Allied/coalition use.
We are working closely with the NSA on a cryptographic
modernization road map; I ask your support for the NSA
road map to modernize the cryptography, which is the
true linchpin to protecting classified information.
Related to but distinct from this cryptographic
modernization effort is the Defense Department's implementation
of a Public Key Infrastructure (PKI), which can and
will become a powerful implement for authenticating
our transactions, ensuring the integrity of our data,
and guaranteeing that we are who we say we are online.
We are committed to getting PKI right, but I've
come to appreciate that it isn't the "PK" part that's
hard, it's the "I" part - it will take us time to scale
PKI across the whole of the DOD infrastructure, and
it will take new money to recode our service applications
to "recognize" PKI, which otherwise is nothing more
than a string of gibberish.

The arena of detecting malicious activity is challenging.
One notable item relates to development of an
Intelligent Agent Security Module, a smart detector
that doesn't rely on a priori information as today's
intrusion detectors do; we have received initial Congressional
funding for this R&D and are pushing it hard.
Finally, the business of reacting to intrusions
is dependent on broad situational awareness, as you
have to know what the good guys and bad guys are doing
if you want to prevail.
So, we built our NCTF-CND organization from the
start to be linked with both our network managers, our
intelligence assets and, importantly, we put billets
into its force structure to oversee computer network
attack. We
are encouraged that USCINCSPACE has recently expanded
the scope of its computer network defense Joint Task
Force to include all computer network operations.

Before I turn to our NMCI initiative which, by the way, was
designed with network security in mind from the outset,
I'd like to spend a few more minutes on our IA training,
because we get more network security from each dollar
we spend training Sailors than we do from all the firewalls,
access controllers and intrusion detection systems put
together. So,
we've committed ourselves to an unending training crusade,
one that strengthens our defenses, keeps faith with
our people and, interestingly, improves retention.
It is a fact that the more we train our IT people,
the more they stay Navy - after their first enlistment,
after their second enlistment, and even after their
third enlistment.
Since we instituted this training regime, these
Sailors have clearly exceeded all Navy averages.
We do a lot in this crusade, but I'd like to
highlight only three areas.
First, we have created four core courses for
our information professionals, from apprentice-level
systems administrator through masters-level network
analysts, and we teach these courses in a number of
places, where the Sailors live; we also make extensive
use of commercial training products to supplement these
core courses. Second, we're in the second year of a partnership with Tidewater
Community College to take teams of young Americans from
the point of enlistment to holders of an Associate of
Sciences degree in Information Technology in just one
year. When
they complete this program, together, they serve the
rest of their six-year obligations in the same Battle
Group, forming a true team that makes the entire Battle
Group better.
Finally, we now view training requirements through
the lens of the deploying Battle Group Commander instead
of the traditional personnel rotation and distribution
system. This
means that, at the outset of the deployment planning
process, we define all the IT skills the Battle Group
will need when it casts off the last line and deploys,
then we bend the training world to these needs, distinct
from and of a higher priority than the normal "you get
school only when you transfer" process. By this means, we have a much greater assurance that our naval
forces will be able to defend their networks just as
they defend their ships in the world's littorals.

Navy-Marine Corps Intranet

NMCI is the shore component of the naval network; it will
provide capabilities for state of the art voice, video
and data information services from a commercial provider. Our vision is to build the modern Navy and Marine Corps on
the transformational power of networking, and we will
do this by the merging of the many dissimilar networks
currently deployed into a single, seamless and integrated
network across the Navy's shore-based infrastructure.
Through increased access to information and the
power of collaboration across the Navy's mission and
functional areas, NMCI together with IT21, will support
innovative work and training to improve the productivity
and quality of service for every Sailor, Marine, and
DoN civilian employee.

Standardization of hardware, software, training and operational procedures
for network management will vastly improve information
security, interoperability at all levels, while enhancing
our capabilities for information superiority.
The creation of a single contract for the majority
of the Navy's shore-based IT network costs will optimize
the cost per unit for IT services by increasing accountability
and visibility of IT assets.

Here's where we are in realizing these goals.
On October 6, 2000 we awarded a five-year firm
fixed price contract to Electronic Data Systems (EDS).
The process for transitioning Navy networks to
the new NMCI environment began in December 2000 when
EDS assumed responsibility for managing a portion of
the Navy's "as-is" networks.
To date EDS has assumed responsibility for over
43,000 seats in the "as-is" state and current plans
call for these first increment seats to cutover to the
NMCI environment in mid-June.

Assembly of the first two network operations centers and help
desks in San Diego and Norfolk are on track and we expect
them to be online before the first new seats roll out
in mid-June. Contractor
testing has already begun in vendor laboratories and
will continue at the designated test sites this spring
and early summer.
We plan for the Commander, Operational Test and
Evaluation Force (COMOPTEVFOR) to start operational
testing immediately following the completion of contractor
testing. Joint
Interoperability Test Command (JITC) will be conducting
interoperability testing of joint applications concurrently.

The Navy/Marine Corps Intranet is a unique opportunity for
the Department of the Navy to make a dramatic leap forward
in security. First
of all, it's important that the NMCI contract is constructed
with service level agreements (SLAs) requiring the vendor's
compliance in order to be paid the full price for seat
services. Several
agreements are directly related to security, with measurable
attributes for which metrics will be collected, enhancing
our information assurance posture in a number of ways.

- We will consolidate hundreds of disparate networks throughout
  the Department, providing us with a Navy and Marine
  Corps-wide, trusted intranet protecting our information
  from outside attack.
- NMCI's security requirements will bring the DoN into
  alignment with the "defense in depth" concepts in the
  Joint Global Information Grid (GIG) architecture.
- DoD Public Key Infrastructure (PKI) will be integral
  to NMCI and bring the DoN into compliance with DoD mandates
  for PKI implementation.
- As NMCI consolidates hundreds of disparate networks,
  we will achieve, for the first time, a Navy/Marine Corps-wide
  network intrusion detection and monitoring capability.
- NMCI's six network operations centers (NOC) and the
  co-location of NCTF-CND, the Navy's Computer Network
  Defense command; Commander Task Force NMCI (CTF NMCI)
  and the Marine Corps Information Technology Network
  Operating Center (MITNOC), the two services' commands
  charged with command and control of the network, will
  significantly improve our visibility into the department's
  networking infrastructure and our ability to defend
  it.

In summary, improved security is probably the greatest
value-added by NMCI.
The NMCI architecture framework defines four
defensive "boundaries" in conjunction with
our overall IT defense-in-depth strategy, ranging from
the external network boundary to the application layer. These boundaries will be used to define specific, layered security
measures. Our
NMCI guidance also delineates security requirements
for technical and quality of service standards.
The requirements encompass content monitoring,
content filtering, virtual private network (VPN) and
encryption standards, standards for PKI-enabled applications,
and web security.
Further, the NMCI sets the qualification standards
required for contract systems administrators and network
managers. "Red
Teams" are also established under the NMCI to determine
the effectiveness of contract fulfillment toward security
requirements and to perform ongoing network vulnerability
and risk assessment.
A "Blue Team" will verify security
configuration management and approve all security architecture
choices and security procedures.
The NMCI vendor will be responsible for providing
raw data that will be analyzed by Navy to determine
whether an incident has occurred as well as the magnitude
of any incident.
None of these security measures can be guaranteed
without an intranet of common standards and required
quality of service.

Since the beginning of this year, Navy has recognized nineteen
computer network incidents on unclassified systems.
Our experience with these and past intrusion
attempts validates the importance of maintaining a technically
astute, responsive IA organization at a Service level.
Although we train our System Administrators to
run their systems as securely as possible, and we keep
them up-to-date with IAVAs, NAVCIRT advisories, and
other timely technical information, there is always
variation in local procedures, complex software version
upgrades, and network reconfigurations.
With NMCI, centralized system administration
will give us the ability to dynamically and remotely
implement (i.e., "push") "best practices",
countermeasures, and secure network configurations to
permit a near-real time, technologically uniform implementation
of IAVAs and technical advisories Navy-wide.
For example, while local commands would continue
to author the content of organizational web pages, the
web pages themselves would reside on uniformly and centrally
configured NMCI servers - configured in accordance with
DoD/DoN best practices.
Vulnerability to web page "hacks" will
be uniformly mitigated across the enterprise.

NMCI will also accelerate the desired proliferation of Class
3 PKI-enabled web pages and authentication measures
for appropriately authorized access to, and modification
of, Navy web sites.
The uniform implementation of PKI/certificate
authorities and anti-virus signatures in NMCI will considerably
reduce risks of external intruder root access gained
by the "sniffing" of passwords, and from unsolicited
e-mail with malicious attachments or "Trojan horses",
such as last year's "Melissa" episode.

Conclusion

In conclusion, we've done a lot and continue to work hard
at improving Navy network security, and we do so in
close collaboration with the other services and DOD
agencies. The
power of the worldwide web - you can reach out and touch
anywhere-is also its weakness, and the United States,
with almost half of the world's computing resources,
is a gigantic target for amateurs and those who would
do us harm. You've
received many statistics regarding how many probes,
events, intrusions and losses of positive control occur.
Navy is no exception.
The National Infrastructure Protection Center
(NIPC) predicts that any vulnerability, once created,
will be exploited within eight hours, and I believe
it. A few months ago, a server at a Naval facility was mis-configured
during routine system clean-up and restoral.
This facility was NOT a high value or even high
interest target, yet the vulnerability created was,
in fact, exploited within eight hours, and the intruder
gained root privileges in that system for a short time,
just as NIPC predicted.
Thomas Jefferson once said, "Eternal vigilance
is the price of freedom."
It has never been more true than in this age
of information.

Thank you.